Resolving .gov w/dnssec

Paul Wouters paul at xelerance.com
Thu Apr 22 14:03:43 UTC 2010


On Thu, 22 Apr 2010, Timothe Litt wrote:

> I'm having trouble resolving uspto.gov with bind 9.6.1-P3 and 9.6-ESV
> configured as validating resolvers.
>
> Using dig, I get a connection timeout error after a long (~10 sec) delay.
> +cdflag provides an immediate response.

> Is anyone else seeing this?  Ideas on how to troubleshoot?

I have the same problems with our validating unbound instance. The logs show:

Apr 21 18:03:54 nssec unbound: [19439:1] info: validation failure <DNS2.uspto.gov. A IN>
Apr 21 18:03:54 nssec unbound: [19439:1] info: validation failure <uspto.gov. NS IN>
Apr 21 18:03:54 nssec unbound: [19439:1] info: validation failure <DNS1.uspto.gov. A IN>
Apr 22 09:45:32 nssec unbound: [19439:0] info: validation failure <uspto.gov. A IN>
Apr 22 09:45:34 nssec unbound: [19439:1] info: validation failure <DNS2.uspto.gov. A IN>
Apr 22 09:45:34 nssec unbound: [19439:1] info: validation failure <uspto.gov. A IN>
Apr 22 09:45:34 nssec unbound: [19439:1] info: validation failure <uspto.gov. NS IN>
Apr 22 09:45:34 nssec unbound: [19439:1] info: validation failure <DNS1.uspto.gov. A IN>
Apr 22 09:46:36 nssec unbound: [19439:1] info: validation failure <www.uspto.gov. A IN>
Apr 22 09:50:38 nssec unbound: [19439:1] info: validation failure <www.uspto.gov. A IN>
Apr 22 09:52:35 nssec unbound: [19439:1] info: validation failure <uspto.gov. A IN>
Apr 22 09:57:53 nssec unbound: [19439:1] info: validation failure <uspto.gov. DNSKEY IN>

As far as I can tell (including a quick check with dnscheck --test=dnssec),
everything works out, but apparently some data in the zone does not
validate, at least not with the records cached at the time. I do have a
copy of the unbound cache if someone wants to do a post-mortem of validating
all the cached records crypto....

Paul
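As an added example (not part of Paul's message or of unbound), a small Python script that does the first step of the post-mortem he offers: it parses unbound's "validation failure" log lines, collapses repeats per owner name and RR type, finds the zone the failing names share, and flags whether that zone's own DNSKEY RRset failed, which means the chain of trust breaks at the zone apex (DS/DNSKEY or signature problem) rather than at one record. The embedded log lines are constructed in the same format as those quoted above.

```python
import re
from collections import Counter

# Constructed sample in unbound's log format (same shape as the lines in the post).
SAMPLE_LOG = """\
Apr 21 18:03:54 nssec unbound: [19439:1] info: validation failure <DNS2.uspto.gov. A IN>
Apr 22 09:45:32 nssec unbound: [19439:0] info: validation failure <uspto.gov. A IN>
Apr 22 09:46:36 nssec unbound: [19439:1] info: validation failure <www.uspto.gov. A IN>
Apr 22 09:57:53 nssec unbound: [19439:1] info: validation failure <uspto.gov. DNSKEY IN>
Apr 22 10:00:00 nssec unbound: [19439:1] info: resolving example.net. A IN
"""

# syslog timestamp, host, "unbound:", [pid:thread], then the failed <qname qtype qclass>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ unbound: \[(?P<tid>\d+:\d+)\] info: "
    r"validation failure <(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>$"
)

def parse_failures(text):
    """Return one dict per 'validation failure' line; other log lines are ignored."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["qname"] = rec["qname"].lower()  # DNS names are case-insensitive
            out.append(rec)
    return out

def failure_counts(failures):
    """Count failures per (owner name, RR type) so repeated retries collapse."""
    return Counter((f["qname"], f["qtype"]) for f in failures)

def common_zone(failures):
    """Longest label-wise suffix shared by every failing owner name (the suspect zone)."""
    names = [f["qname"].rstrip(".").split(".") for f in failures]
    if not names:
        return ""
    suffix = []
    for labels in zip(*(reversed(n) for n in names)):
        if len(set(labels)) != 1:
            break
        suffix.append(labels[0])
    return ".".join(reversed(suffix)) + "." if suffix else "."

def apex_key_failed(failures, zone):
    """True when the zone's own DNSKEY failed: the break is at the apex, not one record."""
    return any(f["qname"] == zone and f["qtype"] == "DNSKEY" for f in failures)

if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    zone = common_zone(fails)
    for (name, rtype), n in sorted(failure_counts(fails).items()):
        print(f"{n:3d}  {name} {rtype}")
    print(f"suspect zone: {zone}  apex DNSKEY failed: {apex_key_failed(fails, zone)}")
```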


